Date: Mon, 17 Nov 2014 13:48:39 +0100
From: Raphael Geissert <geissert@...ian.org>
To: Open Source Security <oss-security@...ts.openwall.com>
Subject: Re: Fuzzing findings (and maybe CVE requests) - Image/GraphicsMagick, elfutils, GIMP, gdk-pixbuf, file, ndisasm, less

On 17 November 2014 13:33, Hanno Böck <hanno@...eck.de> wrote:
[...]
> What should we do with that?
> a) is it an inappropriate use of less to view untrusted files and we
> should teach users so? (I seriously never would've thought of that - and
> which average "just learned how to use the shell" user would've?)
> b) tell linux distros that lesspipe is insecure and shouldn't be
> enabled?
> c) fuzz all the tools in there and report at least the
> low-hanging-fruit-bugs? (and then maybe try to replace the
> "they-don't-fix-bugs-or-don't-have-a-dev-any-more"-tools with more
> secure ones)

d) acknowledge the fact that most tools were not "designed for security"
and that we should talk about mitigation. It's about risk analysis.

Cheers,
--
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net